b'                                  SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n                   UNITED STATES DEPARTMENT OF STATE\n               AND THE BROADCASTING BOARD OF GOVERNORS\n                               OFFICE OF INSPECTOR GENERAL\n\n\nAUD-IT-IB-14-02                                  Office of Audits                                     October 2013\n\n\n\n\n      Audit of the Broadcasting Board of\n    Governors Information Security Program\n\n\n\n\nIMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the\nBroadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of\nInspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or\nthe Broadcasting Board of Governors, by them or by other agencies of organizations, without prior authorization by\nthe Inspector General. Public availability of the document will be determined by the Inspector General under the\nU.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.\n\n\n\n\n                                  SENSITIVE BUT UNCLASSIFIED\n\x0c                              SENSITIVE BUT UNCLASSIFIED\n                                                              0 mted States Department of State\n                                                              and the Broadcasting Board of Governors\n\n                                                              Office of lnspertor General\n\n\n\n\n                                          (U) PREFACE\n        (U) This report is being transmitted pursuant to the Inspector General Act of 1978, as\namended, and Section 209 of the Foreign Service Act of 1980, as amended. 
It is one of a series\nof audit, inspection, investigative, and special reports prepared as part of the Office of Inspector\nGeneral\'s (OIG) responsibility to promote effective management, accountability, and positive\nchange in the Department of State and the Broadcasting Board of Governors.\n\n       (U) In accordance with the Federal Information Security Management Act of 2002\n(FISMA), OIG performed an audit ofthe Broadcasting Board of Governors Information Security\nProgram for FY 2013 . .To perform this audit, OIG contracted with the independent public\naccountant Williams, Adley & Company, LLP. The audit report is based on interviews with\nemployees and officials of the Broadcasting Board of Governors, direct observation, and a\nreview of applicable documents.\n\n       (U) The independent public accountant identified areas in which improvements could be\nmade, including the risk management program, continuous monitoring, contingency planning,\nincident response and reporting, plans of actions and milestones, remote access management,\nconfiguration management, identity and access management, and security training and\nawareness.\n\n       (U) OIG evaluated the nature, extent, and timing of the independent public accountant\'s\nwork; monitored progress throughout the audit; reviewed supporting documentation; evaluated\nkey judgments; and performed other procedures as appropriate. OIG concurs with the findings,\nand the recommendations contained in the audit report were developed based on the best\nknowledge available and discussed in draft form with those individuals responsible for\nimplementation. OIG\'s analysis of management\'s response to the recommendations has been\nincorporated into the report. 
OIG trusts that this report will result in more effective, efficient,\nand/or economical operations.\n\n         (U) I express my appreciation to all of the individuals who contributed to the preparation\nof this report.\n\n\n\n\n                                       Steve A. Linick\n                                       Inspector General\n\n                              SENSITIVE BUT UNCLASSIFIED\n\x0c                             SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n~l Y,.. WILLIAMS\nl ! J. 1 ADLEY\n          Audit of the Broadcasting Board of Governors Infonnation Security Program\n\nOctober 15, 2013\n\nOffice of Inspector General\nU.S. Department of State\nWashington, DC\n\nWilliams, Adley & Company-DC, LLP has performed an audit of the Broadcasting Board of\nGovemors\' (BBG) Information Security Program. We audited the BBG\'s compliance with the\nFederal Infotmation Security Management Act, Office of Management and Budget requirements,\nand National Institute of Standards and Technology standards. We performed this audit under\nContract No. SAQMMA 1OF2 159. The aud it was designed to meet the objectives described in\nthe repott.\n\nWe conducted this performance audit in accordance with Government Auditing Standards, issued\nby the Comptroller General of the United States. We communicated the resu lts of our aud it and\nthe related findings and recommendations to the U.S. 
Department of State and the Broadcasting\nBoard of Governors Office oflnspector General.\n\nWe appreciate the cooperation provided by BBG personnel during the audit.\n\n\n~u~~fY4, ~>l~L~ LLf\nWi lliams, Adle; &   C~ny-DC, LLP (j\n\n\n\n\n                                                                                                 \\\n\n\n\n\n                                WILLIAMS, ADLEY & COMPANY-DC, LLP\n                            Certified Public Accountants I Management Consultants\n        1030 15\'" Street, NW, Suite 350 West\xe2\x80\xa2 Washi ngton, DC 20005 \xe2\x80\xa2 (202) 371 -1397 \xe2\x80\xa2 Fax: (202) 371 -9161\n                                             www.wllliamsadley.com\n\n\n\n\n                                                              ii\n                             SENSITIVE BUT UNCLASSIFIED\n\x0c               SENSITIVE BUT UNCLASSIFIED\n\n\n(U) Acronyms\n(U) BBG        Broadcasting Board of Governors\n(U) CIO        Chief Information Officer\n(U) CTO        Chief Technology Officer\n(U) DHS        Department of Homeland Security\n(U) FIPS       Federal Information Processing Standards\n(U) FISMA      Federal Information Security Management Act\n(U) GAGAS      Generally Accepted Government Auditing Standards\n(U) IT         Information Technology\n(U) NIST       National Institute of Standards and Technology\n(U) OIG        Office of Inspector General\n(U) OMB        Office of Management and Budget\n(U) PIV        Personal Identity Verification\n(U) POA&M      Plans of Action and Milestones\n(U) SP         Special Publication\n(U) VPN        Virtual Private Network\n\n\n\n\n                               iii\n               SENSITIVE BUT UNCLASSIFIED\n\x0c                                            SENSITIVE BUT UNCLASSIFIED\n\n\n\n\n                                                    (U) Table of Contents\n\n(U) Section                                                                                                               
          (U) Page\n\n(U) Executive Summary ................................................................................................................. 1\n\n\n(U)Background ............................................................................................................................... 2\n\n\n(U) Objective .................................................................................................................................. 3\n\n\n(U) Results of Audit ........................................................................................................................ 3\n   (U) Finding A. Risk Management ............................................................................................. 3\n   (U) Finding B. Continuous Monitoring Management ............................................................... 6\n   (U) Finding C. Contingency Planning ....................................................................................... 8\n   (U) Finding D. Incident Response and Reporting ..................................................................... 9\n   (U) Finding E. Plans of Action and Milestones ....................................................................... 10\n   (U) Finding F. Remote Access Management ........................................................................... 11\n   (U) Finding G. Configuration Management ............................................................................ 13\n   (U) Finding H. Identity and Access Management ................................................................... 15\n   (U) Finding I. Security Training and Awareness ..................................................................... 17\n   (U) Finding J. Compliance with FISMA ................................................................................. 18\n(U) List of Current Year Recommendations ................................................................................. 
19\n\n(U) Appendices\n   (U) A. Scope and Methodology ................................................................................................ 21\n   (U) B. Followup of Recommendations from the FY 2012 Audit of the Broadcasting\n          Board of Governors Information Security Program ...................................................... 25\n   (U) C. Management Response .................................................................................................. 28\n\n\n\n\n                                                                       iv\n                                            SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\n\n\n                                     (U) Executive Summary\n        (U) In accordance with the Federal Information Security Management Act of 2002\n          1\n(FISMA), the Office of Inspector General (OIG) contracted with Williams, Adley & Company-\nDC, LLP (referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this report), to perform an independent audit of the Broadcasting\nBoard of Governors (BBG) Information Security Program\xe2\x80\x99s compliance with Federal laws,\nregulations, and standards established by FISMA, the Office of Management and Budget\n(OMB), and the National Institute of Standards and Technology (NIST). The results are\ndesigned to assist OIG in providing responses to the Department of Homeland Security (DHS)\nFY 2013 Inspector General Federal Information Security Management Act Reporting Metrics,\ndated November 30, 2012.\n                                            2\n        (U) The FY 2012 FISMA report contained nine recommendations intended to address\nsecurity deficiencies, and the most significant of these deficiencies involved BBG\xe2\x80\x99s security\nstandards and procedures, compliance enforcement authority, Plans of Action and Milestones\n(POA&M), and enterprise-wide and system-specific contingency plans. 
We reviewed BBG\xe2\x80\x99s\ncorrective actions to address weaknesses identified in OIG\xe2\x80\x99s FY 2012 FISMA report. BBG\nclosed four of nine recommendations in the FY 2012 report. The status of each recommendation\nfrom OIG\xe2\x80\x99s FY 2012 report is presented in Appendix B of this report.\n\n        (U) Since FY 2012, BBG has taken the following steps to improve management controls:\n\n        \xe2\x80\xa2   (U) Substantially improved the security awareness training compliance rate\n            achieving 100 percent in FY 2013.\n        \xe2\x80\xa2   (U) Improved the management of Active Directory to limit the amount of\n            expired and inactive user accounts on the domain.\n\n       (U) Overall, we found that BBG had implemented an information security program and\nhad made progress during FY 2013, but we identified control weaknesses that significantly\nimpacted the information security program. If these control weaknesses were exploited, BBG\ncould experience security breaches.\n\n        (U) Collectively, the control weaknesses we identified in this audit represent a significant\n                                                          3\ndeficiency, as defined by OMB Memorandum M-12-20, to enterprise-wide security. The\nweakened security controls could adversely affect the confidentiality, integrity, and availability\nof information and information systems. A further compounding factor is that BBG had not fully\ntaken corrective action to remediate all of the control weaknesses identified in the FY 2012\nFISMA report. This report contains 13 recommendations to address security deficiencies\nidentified in eleven reportable areas, and we believe the most significant security deficiencies are\nthe findings related to risk management framework (Finding A), continuous monitoring program\n(Finding B), enterprise-wide and system-specific contingency plan (Finding C), incident\n\n1 (U) Pub. L. No. 107-347, tit. III, 116 Stat. 
2946 (2002).\n2 (U) Audit of the Broadcasting Board of Governors Information Security Program (AUD-IT-IB-13-04, Nov. 2012).\n3 (U) OMB Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, Sept. 27, 2012.\n\n                                              1\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                                   SENSITIVE BUT UNCLASSIFIED\n\nresponse and reporting program (Finding D), and the Plans of Action and Milestones (POA&M)\nprocess (Finding E). Following is a summary of the findings:\n\n           \xe2\x80\xa2\n                               4          5\n               (U) In FY 2010, FY 2011, FY 2012 and FY 2013, OIG reported that BBG\xe2\x80\x99s risk\n               management framework was not effective. (Finding A)\n           \xe2\x80\xa2   (U) In FY 2013, OIG identified that the Office of the Chief Information Officer/Chief\n               Technology Officer (CIO/CTO) did not have an overall continuous monitoring\n               program for the agency. (Finding B)\n           \xe2\x80\xa2   (U) BBG did not develop an enterprise-wide and system-specific contingency plan or\n               perform any contingency testing. (Finding C)\n           \xe2\x80\xa2   (U) BBG did not have effective incident response and reporting. (Finding D)\n           \xe2\x80\xa2   (U) In FY 2013, OIG found that POA&M entries were not fully completed. (Finding\n               E)\n           \xe2\x80\xa2   (U) The Enterprise Networks and Storage Division, under the Office of the CIO/CTO,\n               had not implemented procedures to ensure that remote access was granted only to\n               computers that have security safeguards that comply with BBG\xe2\x80\x99s policies and\n               procedures. 
(Finding F)\n    [Redacted] (b) (5)\n\n\n\n\n           \xe2\x80\xa2   (U) BBG did not have effective identity and access management of their information\n               systems. (Finding H)\n           \xe2\x80\xa2   (U) BBG did not have a policy for role-based training. (Finding I)\n\n       (U) In addition, OIG found that BBG was in compliance with the Capital Planning and\nContractor System requirements. (Finding J)\n\n                                           (U) Background\n        (U) BBG is an independent Federal agency supervising all U.S. Government-supported\ncivilian international media. Broadcasters within the BBG network include the Voice of\nAmerica, Radio Free Europe/Radio Liberty, the Middle East Broadcasting Networks, Radio Free\nAsia, and the Office of Cuba Broadcasting. BBG\xe2\x80\x99s mission is to inform, engage, and connect\npeople around the world in support of freedom and democracy.\n\n        (U) With the passage of FISMA, Congress recognized the importance of information\nsecurity to the economic and national security interests of the United States and required each\nFederal agency to develop, document, and implement an agency-wide program to provide\ninformation security for the information systems that support the operations and assets of the\nagency, including those provided or managed by another agency, contractor, or source. 
FISMA\n\n4 (U) Review of the Broadcasting Board of Governors Information Security Program (AUD/IT/IB-11-08, Nov.\n2010).\n5 (U) Evaluation of the Broadcasting Board of Governors Information Security Program (AUD/IT/IB-12-15, Nov.\n2011).\n\n                                                2\n                                   SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\nprovides a comprehensive framework for establishing and ensuring the effectiveness of\nmanagement, operational, and technical controls over information technology (IT) that supports\nFederal operations and assets, and it provides a mechanism for improved oversight of Federal\nagency information security programs.\n\n         (U) On an annual basis, OMB provides guidance with reporting categories and questions\n                                                      6\nto meet the current year\xe2\x80\x99s reporting requirements. OMB uses responses to its questions to assist\nin its oversight responsibilities and to prepare its annual report to Congress on agency\ncompliance with FISMA.\n                                                                                                            7\n        (U) FISMA assigns specific responsibilities to Federal agencies, NIST, OMB and DHS\nto strengthen information system security. In particular, FISMA requires the head of each\nagency to implement policies and procedures to effectively reduce IT security risks to an\nacceptable level. 
To ensure the adequacy and effectiveness of information system controls,\nFISMA requires agency program officials, chief information officers, chief information security\nofficers, senior agency officials for privacy, and inspectors general to conduct annual reviews of\nthe agency\xe2\x80\x99s information security program and report the results to DHS.\n\n                                             (U) Objective\n       (U) The objective of this audit was to perform an independent evaluation of BBG\xe2\x80\x99s\ninformation security program and practices for FY 2013, which included testing the effectiveness\nof security controls for a subset of systems, as required.\n\n                                         (U) Results of Audit\n        (U) Overall, we found that BBG made progress in FY 2013 toward developing its\ninformation security program, but we identified control weaknesses that significantly impacted\nthe information security program. To improve the information security program and to bring the\nprogram into compliance with FISMA, OMB, and NIST requirements, BBG needs to address the\ncontrol weaknesses described.\n\n(U) Finding A. Risk Management\n        (U) In FY 2010, FY 2011, and FY 2012, OIG identified risk management framework\ndeficiencies in BBG\xe2\x80\x99s information security program. According to NIST Special Publication\n                        8\n(SP) 800-37, Revision 1, the risk management framework emphasizes:\n\n        (U) \xe2\x80\xa6 (i) building information security capabilities into federal information systems\n        through the application of state-of-the-practice management, operational, and technical\n6 (U) DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, Nov.\n2012.\n7 (U) OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office\nof the President and Department of Homeland Security (DHS), July 6, 2010.\n8 (U) NIST SP 800-37, rev. 
1, Guide for Applying the Risk Management Framework to Federal Information\nSystems, sec. 1.1, Feb. 2010.\n\n                                              3\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                                     SENSITIVE BUT UNCLASSIFIED\n\n        security controls; (ii) maintaining awareness of the security state of information systems\n        on an ongoing basis though enhanced monitoring processes; and (iii) providing essential\n        information to senior leaders to facilitate decisions regarding the acceptance of risk to\n        organizational operations and assets, individuals, other organizations, and the Nation\n        arising from the operation and use of information systems.\n                                 9\n      (U) NIST SP 800-39 lists the four steps of the risk management process, which are Risk\nFraming, Risk Assessment, Risk Response, and Risk Monitoring.\n\n        (U) BBG\xe2\x80\x99s risk management framework was not effective. In FY 2013, OIG identified\nthe following deficiencies:\n\n        \xe2\x80\xa2    (U) For all three systems tested, the Information Security Management Division did\n             not adequately categorize system information types in the security plans. 
The\n             Information Security Management Division identified data elements within the\n                                                                                      10\n             security plans as \xe2\x80\x9cother\xe2\x80\x9d instead of using NIST SP 800-60, Revision 1, elements\n             such as Information System, Record Retention, and System and Network Monitoring.\n             According to Federal Information Processing Standard (FIPS) 199, 11 \xe2\x80\x9c\xe2\x80\xa6 the potential\n             impact values assigned to the respective security objectives (confidentiality, integrity,\n             availability) shall be the highest values (i.e., high water mark) from among those\n             security categories that have been determined for each type of information resident on\n             the information system.\xe2\x80\x9d Furthermore, NIST SP 800-60, Revision 1, 12 does not\n             include the category \xe2\x80\x9cother\xe2\x80\x9d as a valid information type.\n        \xe2\x80\xa2    (U) For all three systems tested, the Information Security Management Division did\n             not perform annual security control assessments. NIST SP 800-53, Revision 3, 13\n             states, \xe2\x80\x9cSubsequent to the initial authorization of the information system and in\n             accordance with OMB policy, the organization assesses a subset of the security\n             controls annually during continuous monitoring.\xe2\x80\x9d\n        \xe2\x80\xa2    (U) For two of three systems tested, the security plans did not include NIST SP 800-\n             53, Revision 3, controls. OMB M-10-15 14 states, \xe2\x80\x9cFor legacy information systems,\n             agencies are expected to be in compliance with NIST standards and guidelines within\n             one year of the publication date unless otherwise directed by OMB. 
The one year\n             compliance date for revisions to NIST publications applies only to the new and/or\n             updated material in the publications. For information systems under development or\n             for legacy systems undergoing significant changes, agencies are expected to be in\n             compliance with the NIST publications immediately upon deployment of the\n             information system.\xe2\x80\x9d\n\n9 (U) NIST SP 800-39, Managing Information Security Risk, app. E, March 2011.\n10 (U) NIST SP 800-60, rev. 1, Volume II: Appendices to Guide for Mapping Types of Information and Information\nSystems to Security Categories, Aug. 2008.\n11 (U) FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, Feb. 2004.\n12 (U) NIST SP 800-60, rev. 1, sec. C.3.5, Information and Technology Management.\n13 (U) NIST SP 800-53, rev. 3, Recommended Security Controls for Federal Information Systems, CA-2 Security\nAssessments, Aug. 2009 (last updated May 2010).\n14 (U) OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, Section NIST Standards and Guidelines, April 2010.\n\n                                                  4\n                                     SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\n\n        \xe2\x80\xa2   (U) BBG did not complete a Privacy Impact Assessment for its Privacy Information\n            Enclave. 
OMB M-12-20 15 states, \xe2\x80\x9cAlthough neither Section 208 of the E-\n            Government Act, nor OMB\'s implementing guidance mandate agencies conduct\n            [privacy impact assessments] on electronic systems containing information about\n            Federal employees (including contractors), OMB encourages agencies to scrutinize\n            their internal business processes and the handling of identifiable information about\n            employees to the same extent they scrutinize processes and information handling\n            procedures involving information collected from or about members of the public\n            (OMB Memorandum 03-22, Section ILB.3.a.).\xe2\x80\x9d\n\n        (U) According to a BBG management official, BBG had to focus on daily operations\ninstead of devoting resources to implementing a risk management framework for its information\nsystems. System Owners, Information Owners, and the CIO/CTO did not perform the data\ncategorization for BBG\xe2\x80\x99s systems. In addition, BBG management stated that the security\nauthorization automated system caused inaccurate data elements to be transferred over to the\nsecurity authorization packages. Finally, System Owners and the CIO/CTO used the outdated\n                              16\nNIST SP 800-53, Revision 2, controls, instead of the most current NIST SP 800-53, Revision 3,\ncontrols, to conduct the security authorization process.\n\n         (U) Without a risk management program, BBG cannot prioritize, assess, respond to, and\nmonitor information security risk, which leaves BBG vulnerable to outside attacks and insider\nthreats.\n\n        (U) Recommendation 1. 
OIG recommends that the System Owners, Information\n        Owners, and the Chief Information Officer/Chief Technology Officer assess the data\n        categorization for information systems, in accordance with Federal Information\n        Processing Standard 199, and implement the corresponding National Institute of\n        Standards and Technology Special Publication 800-53, Revision (Rev.) 3, controls, if\n        necessary.\n\n        (U) Management Response: BBG concurred with the recommendation, stating that it\n        will ensure that all FISMA systems are properly categorized and have implemented all\n        the necessary security controls provided in NIST SP 800-53, Revision 3.\n\n        (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation\n        can be closed when OIG reviews and accepts documentation or evidence showing that all\n        FISMA systems are properly categorized and all necessary NIST SP 800-53, Revision 3,\n        security controls are implemented.\n\n        (U) Recommendation 2. OIG recommends that the System Owners and Chief\n        Information Officer/Chief Technology Officer prioritize resources to perform security\n        impact analyses to assess the differences in National Institute of Standards and\n\n\n\n15 (U) OMB Memorandum M-12-20, Sept. 27, 2012.\n16 (U) NIST SP 800-53, rev. 2, Recommended Security Controls for Federal Information Systems, Dec. 
2007.\n\n\n                                              5\n                                 SENSITIVE BUT UNCLASSIFIED\n\x0c                                 SENSITIVE BUT UNCLASSIFIED\n\n        Technology Special Publication 800-53, Revision 3, control families and their impact to\n        the state of security on the systems and reauthorize the systems.\n\n        (U) Management Response: BBG concurred with the recommendation, stating that it\n        will update Security Assessment Reports and Risk Assessment Reports for all BBG\n        FISMA systems to ensure that all systems can be reauthorized.\n\n        (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation\n        can be closed when OIG reviews and accepts documentation or evidence showing that all\n        FISMA system Security Assessment Reports and Risk Assessment Reports have been\n        updated.\n\n        (U) Recommendation 3. OIG recommends that the Broadcasting Board of Governors\n        prioritize resources to perform a privacy impact assessment for the Privacy Information\n        Enclave in accordance with Office of Management and Budget Memorandum M-12-20.\n\n        (U) Management Response: BBG concurred with the recommendation, stating that the\n        Chief Information Officer will prioritize resources to ensure that a privacy impact\n        analysis is performed for the Privacy Information Enclave.\n\n        (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation\n        can be closed when OIG reviews and accepts documentation or evidence showing that a\n        privacy impact analysis has been performed for the Privacy Information Enclave.\n\n(U) Finding B. 
Continuous Monitoring Management

(U) NIST SP 800-137 states, “Information security continuous monitoring is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”[17]

(U) According to OMB guidance,[18] “A well designed and well managed continuous monitoring program can effectively transform an otherwise static and occasional security control assessment and risk determination process into a dynamic process that provides essential, near real time security status related information” to senior leaders. Senior leaders can use this information to take “appropriate risk mitigation actions and make cost effective, risk based decisions regarding the operation of their information systems.”

(U) In FY 2013, OIG found that although the Office of the CIO/CTO was in the process of implementing a continuous monitoring program, having acquired automated tools for vulnerability assessment and patch management, it did not have an overall continuous monitoring program for the agency. Specifically, the continuous monitoring program did not address the assessment of selected security controls (including system-specific, hybrid, and common controls).

[17] (U) NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, Executive Summary, Sept. 2011.
[18] (U) OMB, Fiscal Year 2010 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002, sec. A. Continuous Monitoring and Remediation, March 2010.

(U) According to NIST SP 800-53, Revision 3,[19] the organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes a configuration management process, security impact analysis, ongoing security control assessment, and reporting of the security state of the system to appropriate organizational officials.

(U) According to a BBG management official, the CIO/CTO, in coordination with the Information Security Management Division, had to focus on daily operations instead of prioritizing resources to implement a continuous monitoring strategy. Therefore, the agency did not finalize an enterprise-wide continuous monitoring strategy to assist system owners in evaluating control deficiencies.

(U) Not having a robust continuous monitoring program prevents an organization from understanding the security state of its information systems over time. It also prevents the organization from effectively monitoring a dynamic network environment with changing threats, vulnerabilities, technologies, missions, and business functions. Without a well-designed and well-managed continuous monitoring program, damage to agency systems could occur, resulting in system downtime, data manipulation or loss, or operational failure.

    (U) Recommendation 4. OIG recommends that the Chief Information Officer/Chief Technology Officer, in coordination with the Information Security Management Division, finalize and implement an enterprise-wide continuous monitoring strategy that includes a continuous monitoring policy and assesses the security state of information systems in a manner consistent with Federal Information Security Management Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.

    (U) Management Response: BBG concurred with the recommendation, stating that it was reviewing NIST SP 800-53, Revision 4, guidance and planned to implement the new features of that guidance in its continuous monitoring program, policies, and procedures. In addition, BBG stated that its participation in the Continuous Diagnostics and Mitigation (CDM) program sponsored by the Department of Homeland Security will strengthen its internal monitoring controls.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that BBG has implemented features of NIST SP 800-53, Revision 4, as they relate to its continuous monitoring program.

[19] (U) NIST SP 800-53, rev. 3, CA-7 Continuous Monitoring.

(U) Finding C. Contingency Planning

(U) In FY 2010, FY 2011, and FY 2012, OIG reported that BBG did not develop and implement contingency planning and testing policies and procedures compliant with NIST requirements.
Specifically, BBG did not complete its enterprise-wide and system-specific contingency plans or conduct contingency tests. NIST SP 800-34, Revision 1,[20] states, “contingency planning refers to interim measures to recover information system services after a disruption. Interim measures may include relocation of information systems and operations to an alternate site, recovery of information system functions using alternate equipment, or performance of information system functions using manual methods.”

(U) In FY 2013, OIG concluded that BBG had not developed an enterprise-wide and system-specific contingency plan or performed any contingency testing. NIST SP 800-34, Revision 1,[21] defines the following seven-step process that an agency may apply to develop and maintain a viable contingency planning program for its IT systems: “(a) develop a contingency planning policy statement, (b) conduct a business impact analysis, (c) identify preventive controls, (d) create contingency strategies, (e) develop an information system contingency plan, (f) ensure plan testing, training, and exercises, and (g) ensure plan maintenance.” Also, according to NIST SP 800-53, Revision 3,[22] the organization develops a contingency plan for the information system that: identifies essential missions and business functions and associated contingency requirements; provides recovery objectives, restoration priorities, and metrics; addresses contingency roles, responsibilities, and assigned individuals with contact information; addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and is reviewed and approved by designated officials within the organization. NIST SP 800-53, Revision 3, also states that the organization “… tests and/or exercises the contingency plan for the information system.”[23]

(U) According to a BBG management official, BBG’s Office of the CIO/CTO had to focus on daily operations instead of devoting resources to developing and testing contingency plans for BBG information systems. Without an effective contingency plan, BBG may be unable to access critical information and resources or perform mission-critical business functions in the event of an extended outage or disaster. As a result, BBG may be unable to resume operations in an efficient and effective manner, or to reconstitute operations at all.

    (U) Recommendation 5. OIG recommends that the Chief Information Officer/Chief Technology Officer prioritize resources to complete entity-wide and system-specific contingency planning documents for all information systems and conduct the necessary testing in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Revision 1, and NIST SP 800-53, Revision 3.

    (U) Management Response: BBG concurred with the recommendation, stating that its Disaster Recovery and Business Continuity Manager will continue the development and planning of entity-wide and system-specific contingency plans.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing a complete entity-wide contingency plan, system-specific contingency plans, and testing results.

[20] (U) NIST SP 800-34, rev. 1, Contingency Planning Guide for Federal Information Systems, Executive Summary, May 2010.
[21] (U) Ibid., p. V.
[22] (U) NIST SP 800-53, rev. 3, CP-1 Contingency Planning Policy and Procedures and CP-2 Contingency Plan.
[23] (U) Ibid., CP-4 Contingency Plan Testing and Exercises.

(U) Finding D. Incident Response and Reporting

(U) In FY 2010, FY 2011, and FY 2012, OIG identified security incident program deficiencies in BBG’s information security program. According to NIST SP 800-61, Revision 2,[24] an incident response capability is necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services. In April 2013, BBG implemented Redmine as its primary incident tracking tool, which should improve detection and reporting capabilities within the agency.

(U) In FY 2013, OIG noted that BBG did not have effective incident response and reporting.
Specifically, BBG’s Computer Security Incident Management Policy did not address all of the following phases of the incident response life cycle:

    • (U) Preparation.
    • (U) Detection and Analysis.
    • (U) Containment, Eradication, and Recovery.
    • (U) Post-Incident Activity.

(U) According to a BBG management official, BBG’s Information Security Management Division had focused on daily operations instead of prioritizing resources to review a comprehensive incident response policy that was compliant with Federal regulations. According to NIST SP 800-61, Revision 2,[25] establishing an incident response capability should include the following actions:

    • (U) Creating an incident response policy and plan.
    • (U) Developing procedures for performing incident handling and reporting.
    • (U) Setting guidelines for communicating with outside parties regarding incidents.
    • (U) Selecting a team structure and staffing model.
    • (U) Establishing relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies).
    • (U) Determining what services the incident response team should provide.

[24] (U) NIST SP 800-61, rev. 2, Computer Security Incident Handling Guide, Executive Summary, Aug. 2012.
[25] (U) Ibid.

(U) BBG may not be detecting, identifying, containing, eradicating, and recovering from security incidents. Without effective incident response and reporting, an incident could result in a shutdown of BBG information systems, which would affect its operational mission.

    (U) Recommendation 6. OIG recommends that the Information Security Management Division update and implement its incident response policy in accordance with National Institute of Standards and Technology Special Publication 800-61, Revision 2.

    (U) Management Response: BBG concurred with the recommendation, stating that it will update and implement the incident response policy.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that BBG’s incident response policy has been updated and implemented in accordance with NIST SP 800-61, Revision 2.

(U) Finding E. Plans of Action and Milestones

(U) In FY 2010, FY 2011, and FY 2012, OIG identified POA&M deficiencies in BBG’s information security program. In FY 2013, OIG found that POA&M entries were not fully completed. According to NIST SP 800-64, Revision 2,[26] a POA&M is “A document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems.”

(U) BBG’s Office of the CIO/CTO had a deficient POA&M process. BBG failed to adhere to its own policy[27] of completing all the necessary elements of a POA&M. OIG found that for five of five (100 percent) systems tested in the POA&M database, BBG did not adequately assign resources (including resource hours), record the expected time for completion or the milestone completion dates for remediating the security weaknesses, or assign a severity rating (i.e., significant deficiency, reportable condition, or other) to each corrective action.

(U) According to a BBG management official, BBG’s Office of the CIO/CTO had to focus on daily operations instead of devoting resources to adhering to its POA&M policy.

[26] (U) NIST SP 800-64, rev. 2, Security Considerations in the System Development Life Cycle, Oct. 2008.
[27] (U) Information Security Plan of Action and Milestone (POA&M) Policy, May 2, 2010 (last updated Feb. 9, 2012).

(U) Without complete POA&M entries, BBG management will not have an accurate account of all system vulnerabilities, nor will it be able to adequately prioritize resources to remediate identified vulnerabilities. As a result, delays in implementing corrective actions may persist and leave information systems vulnerable to outside attacks and insider threats.

    (U) Recommendation 7.
OIG recommends that the Chief Information Officer/Chief Technology Officer ensure that Broadcasting Board of Governors Plans of Action and Milestones (POA&M) include all required elements in accordance with its Information Security POA&M Policy, to include severity of the weakness, responsible organization, estimated funding resources, completion date, key milestones and changes, source of the weakness, and status.

    (U) Management Response: BBG concurred with the recommendation, stating that the Chief Information Officer will update the elements within its POA&M tracking sheet in an ongoing effort to improve internal information technology project governance.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that BBG has updated its POA&M tracking sheet with the required elements.

(U) Finding F. Remote Access Management

(U) In FY 2010, FY 2011, and FY 2012, OIG identified remote access deficiencies in BBG’s information security program. BBG’s remote access Virtual Private Network (VPN) agreement allows users to access the BBG network using personally owned computers and requires each user to have anti-virus software with up-to-date virus definitions. However, BBG had not implemented procedures to ensure that remote access was granted only to computers that have proper security safeguards. According to OMB M-06-16,[28] agency-owned mobile computers are to use multifactor authentication and hard-drive encryption to compensate for the lack of physical security controls when information is removed from or accessed from outside the BBG location. According to NIST SP 800-53, Revision 3,[29] “Multifactor authentication is authentication using two or more factors to achieve authentication. Factors include: (i) something you know; (ii) something you have; or (iii) something you are.”

(U) The Enterprise Networks and Storage Division, under the Office of the CIO/CTO, had not implemented procedures to ensure that remote access was granted only to computers that have security safeguards that comply with BBG’s policies and procedures.

(U) From a sample of 25 remote users tested, we identified the following deficiencies:

    • (U) One user did not have a properly completed access authorization form.
    • (U) Four users had not signed the rules of behavior agreement form before being granted remote access.

[28] (U) OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 23, 2006.
[29] (U) NIST SP 800-53, rev. 3, app. B, Glossary.

(U) According to a BBG management official, BBG’s Enterprise Networks and Storage Division, under the Office of the CIO/CTO, had to focus on daily operations instead of devoting resources to implementing remote access controls.
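(U) The deficiencies in this finding describe an admission decision that NIST SP 800-53 AC-17 expects to be made before every connection: the user must be authorized first, and the device must meet the requirements the VPN Agreement sets out. The following is an added example, written for this page and not BBG’s network access control tool or any code from the audit, of how such a gate evaluates one VPN request. It checks the two administrative items the 25-user sample found missing (an approved access authorization form and a signed rules of behavior agreement), multifactor enrollment as OMB M-06-16 expects for remote access, and device posture (anti-virus present with current definitions, critical patches applied, hard-drive encryption, supported operating system). The record fields, the 7-day definition-age threshold and the three sample requests are constructed assumptions.

```python
"""VPN admission check: authorize the user before connection and enforce
device requirements on every connection (the AC-17 "authorize prior to
connection" and "enforce requirements" points).

Added example for this page, not BBG's network access control tool. All
field names, the 7-day virus-definition threshold and the sample requests
are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UserRecord:
    username: str
    access_form_approved: bool      # remote access authorization form on file
    rules_of_behavior_signed: bool  # signed before access is granted
    mfa_enrolled: bool              # OMB M-06-16: two-factor for remote access


@dataclass(frozen=True)
class DevicePosture:
    hostname: str
    av_installed: bool
    av_definitions_date: date       # date the AV signatures were last updated
    missing_critical_patches: int   # as reported by the patch-management agent
    disk_encrypted: bool
    os_supported: bool              # vendor still ships security fixes


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


MAX_DEFINITION_AGE = timedelta(days=7)   # assumption; set by local policy


def assess(user: UserRecord, device: DevicePosture, today: date) -> Decision:
    """Return ALLOW only when every administrative and technical requirement
    holds; otherwise DENY with every failed requirement listed, so the help
    desk can tell the user exactly what to fix."""
    reasons: List[str] = []

    # Administrative prerequisites: the two items the sample found missing,
    # plus multifactor enrollment.
    if not user.access_form_approved:
        reasons.append("no approved remote access authorization form")
    if not user.rules_of_behavior_signed:
        reasons.append("rules of behavior not signed")
    if not user.mfa_enrolled:
        reasons.append("multifactor authentication not enrolled")

    # Device posture. The VPN Agreement holds personal equipment to the same
    # rules as BBG-owned equipment, so the checks do not depend on ownership.
    if not device.os_supported:
        reasons.append("unsupported operating system")
    if not device.av_installed:
        reasons.append("no anti-virus software")
    else:
        age = today - device.av_definitions_date
        if age > MAX_DEFINITION_AGE:
            reasons.append(f"virus definitions {age.days} days old")
    if device.missing_critical_patches > 0:
        reasons.append(f"{device.missing_critical_patches} critical patch(es) missing")
    if not device.disk_encrypted:
        reasons.append("hard drive not encrypted")

    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample: one compliant request and two that must be refused.
SAMPLE_TODAY = date(2013, 3, 15)
SAMPLE_REQUESTS: List[Tuple[UserRecord, DevicePosture]] = [
    (UserRecord("jdoe", True, True, True),
     DevicePosture("BBG-LT-0417", True, date(2013, 3, 14), 0, True, True)),
    (UserRecord("asmith", True, False, True),
     DevicePosture("HOME-PC", True, date(2013, 2, 1), 0, True, True)),
    (UserRecord("rlee", False, True, False),
     DevicePosture("rlee-laptop", False, date(2012, 12, 1), 3, False, True)),
]


def review_requests(requests=SAMPLE_REQUESTS, today=SAMPLE_TODAY) -> Dict[str, Decision]:
    """Evaluate every pending request; keyed by username for the access log."""
    return {user.username: assess(user, device, today) for user, device in requests}


if __name__ == "__main__":
    for name, decision in review_requests().items():
        verdict = "ALLOW" if decision.allow else "DENY "
        print(f"{name:<8} {verdict} {'; '.join(decision.reasons)}")
```

(U) The decision is deny-by-default: the session is allowed only when the reasons list is empty, and a device with no anti-virus at all is reported as such rather than also being scored on definition age. In a real network access control deployment the posture fields would come from the endpoint agent and the user fields from the access-request system, but the gate logic stays the same.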
(U) In addition, BBG did not consider the information stored on removable media to be sensitive.

(U) BBG’s VPN Agreement states, “By using VPN technology with personal equipment, users must understand that their computers are a de facto extension of the BBG network and subject to the same rules and regulations that apply to BBG-owned equipment, i.e., their computers must be configured to comply with BBG security requirements.” The agreement further states, “All computers connected to the BBG network via VPN must use up-to-date virus-scan and virus definitions.” According to NIST SP 800-53, Revision 3,[30]

    (U) “The organization: (a) Documents allowed methods of remote access to the information system; (b) Establishes usage restrictions and implementation guidance for each allowed remote access method; (c) Monitors for unauthorized remote access to the information system; (d) Authorizes remote access to the information system prior to connection; and (e) Enforces requirements for remote connections to the information system.”

(U) Without procedures that require the use of properly secured devices, BBG cannot ensure the security of its data and network when it allows access from authorized third-party devices. The risk of introducing viruses, worms, or other malicious code into BBG’s enterprise network is increased significantly, with a potential loss of data and/or compromise of agency systems. Weak remote access controls could allow attackers onto the network, and insider activity could not be uniquely attributed to an individual, resulting in data spillage or system destruction.

    (U) Recommendation 8. OIG recommends that the Enterprise Networks and Storage Division, under the Office of the Chief Information Officer/Chief Technology Officer, implement procedures to assess the adequacy of the security configurations of mobile computers that request access to the Broadcasting Board of Governors network and grant access only to properly configured and patched devices in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

    (U) Management Response: BBG concurred with the recommendation, stating that it had acquired a network access control management tool and that configuration of the tool was pending.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that the network access control management tool has been configured and implemented.

[30] (U) Ibid., AC-17 Remote Access.

(U) Finding G. Configuration Management

(U) OIG first reported in FY 2010 that BBG had not completed the development of procedures that govern routine and critical security configuration management processes. According to NIST SP 800-128,[31]

    (U) “Configuration management comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.” Further, security-focused configuration management “… is the management and control of secure configurations for an information system to enable security and facilitate the management of risk.”[32]

(U) In FY 2013, BBG implemented an entity-wide software deployment policy to strengthen its configuration management process. However, BBG was still in the process of gathering system information for the development of its standard security baseline configurations. [Redacted] (b) (5)

[Redacted] (b) (5)

(U) NIST SP 800-53, Revision 3,[33] states that the organization establishes and documents mandatory configuration settings for information technology products employed within the information system, using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements, and identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements.
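(U) CM-6 has two halves that a compliance assessment must implement together: compare each mandatory setting with what the host actually has, and let only documented, approved exceptions explain a deviation. The following is an added example, written for this page and not BBG’s monitoring tooling or the U.S. Government Configuration Baseline content itself, of a baseline assessment over settings collected from a small fleet. The baseline entries, hosts, values and exception records are constructed illustrations; the comparison rules, the exception matching (same host, same setting, not yet expired), and the handling of settings that were never collected are the point of the example.

```python
"""Baseline compliance assessment in the CM-6 sense: every mandatory
setting is compared with the value collected from the host, a deviation is
a finding unless a documented, approved and unexpired exception covers that
host and setting, and a setting that was never collected is reported as
unverified rather than silently counted as compliant.

Added example for this page. The baseline values, host data and exception
records are constructed illustrations, not the actual USGCB content or
BBG's configuration data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BaselineSetting:
    name: str
    expected: str                        # human-readable requirement
    satisfied: Callable[[Any], bool]     # predicate over the collected value


# Illustrative "most restrictive mode consistent with operations" values (assumption).
BASELINE: List[BaselineSetting] = [
    BaselineSetting("MinimumPasswordLength", ">= 12",
                    lambda v: isinstance(v, int) and v >= 12),
    BaselineSetting("LockoutBadCount", "1 to 5 (0 disables lockout)",
                    lambda v: isinstance(v, int) and 1 <= v <= 5),
    BaselineSetting("ScreenSaverTimeoutSec", "1 to 900",
                    lambda v: isinstance(v, int) and 1 <= v <= 900),
    BaselineSetting("AutorunDisabled", "1", lambda v: v == 1),
    BaselineSetting("RemoteRegistryStartup", "Disabled", lambda v: v == "Disabled"),
]


@dataclass(frozen=True)
class ApprovedException:
    host: str
    setting: str
    justification: str      # the explicit operational requirement
    approved_by: str
    expires: date           # exceptions are re-justified, not permanent


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    actual: Any
    expected: str
    status: str             # "noncompliant", "excepted" or "not_collected"


def covering_exception(exceptions: List[ApprovedException], host: str,
                       setting: str, today: date) -> Optional[ApprovedException]:
    """An exception counts only if it names this host and setting and has not expired."""
    for e in exceptions:
        if e.host == host and e.setting == setting and e.expires >= today:
            return e
    return None


def assess_host(host: str, collected: Dict[str, Any],
                exceptions: List[ApprovedException], today: date) -> List[Deviation]:
    deviations: List[Deviation] = []
    for s in BASELINE:
        if s.name not in collected:
            deviations.append(Deviation(host, s.name, None, s.expected, "not_collected"))
            continue
        actual = collected[s.name]
        if s.satisfied(actual):
            continue
        status = "excepted" if covering_exception(exceptions, host, s.name, today) else "noncompliant"
        deviations.append(Deviation(host, s.name, actual, s.expected, status))
    return deviations


def assess_fleet(fleet: Dict[str, Dict[str, Any]], exceptions: List[ApprovedException],
                 today: date) -> Dict[str, Tuple[bool, List[Deviation]]]:
    """Map host -> (compliant, deviations). A host is compliant only when every
    baseline setting was collected and is either satisfied or formally excepted."""
    report: Dict[str, Tuple[bool, List[Deviation]]] = {}
    for host, collected in fleet.items():
        devs = assess_host(host, collected, exceptions, today)
        report[host] = (all(d.status == "excepted" for d in devs), devs)
    return report


# Constructed sample fleet and exception register.
ASSESSMENT_DATE = date(2013, 6, 30)
SAMPLE_FLEET = {
    "WS-001": {"MinimumPasswordLength": 14, "LockoutBadCount": 5, "ScreenSaverTimeoutSec": 600,
               "AutorunDisabled": 1, "RemoteRegistryStartup": "Disabled"},
    "WS-002": {"MinimumPasswordLength": 8, "LockoutBadCount": 0, "ScreenSaverTimeoutSec": 600,
               "AutorunDisabled": 1, "RemoteRegistryStartup": "Disabled"},
    "WS-003": {"MinimumPasswordLength": 14, "LockoutBadCount": 5,   # screen-saver value never collected
               "AutorunDisabled": 0, "RemoteRegistryStartup": "Automatic"},
}
SAMPLE_EXCEPTIONS = [
    ApprovedException("WS-002", "MinimumPasswordLength",
                      "legacy broadcast application limits passwords to 8 characters",
                      "CISO", date(2013, 12, 31)),
    ApprovedException("WS-003", "RemoteRegistryStartup",
                      "vendor remote support", "CISO", date(2013, 3, 31)),   # expired
]


if __name__ == "__main__":
    for host, (compliant, devs) in assess_fleet(SAMPLE_FLEET, SAMPLE_EXCEPTIONS, ASSESSMENT_DATE).items():
        print(f"{host}: {'COMPLIANT' if compliant else 'NONCOMPLIANT'}")
        for d in devs:
            print(f"  {d.setting}: actual={d.actual!r} expected={d.expected} [{d.status}]")
```

(U) Two design points matter for a periodic assessment. An exception that has expired no longer suppresses the finding, which forces the re-justification CM-6 expects; and a setting the collector failed to return is surfaced as “not_collected” instead of disappearing, because an assessment that only reports values it happened to receive overstates compliance.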
(U) NIST SP 800-53, Revision 3,[34] also states that the organization identifies, reports, and corrects information system flaws.

(U) According to a BBG management official, BBG’s IT management had to focus on daily operations instead of devoting resources to developing procedures and guidance for configuration management processes. OIG’s vulnerability assessment was conducted at a time when BBG was switching patching tools. [Redacted] (b) (5)

[31] (U) NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, sec. 2.1.1, Aug. 2011.
[32] (U) Ibid., sec. 2.1.3.
[33] (U) NIST SP 800-53, rev. 3, CM-6 Configuration Settings.
[34] (U) Ibid., SI-2 Flaw Remediation.

(U) Without proper implementation of policy and procedures that govern the performance of routine and critical processes, BBG leaves its systems vulnerable to denial of service, damage to the general support system, or the introduction of security weaknesses. Damage to BBG systems could result in system downtime, data manipulation or loss, or operational failure.

    (U) Recommendation 9. OIG recommends that the Chief Information Officer/Chief Technology Officer verify that U.S. Government Configuration Baseline configuration standards are implemented and that compliance with the implemented standards is periodically assessed in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

    (U) Management Response: BBG concurred with the recommendation, stating that it planned to use monitoring technology made available through the Department of Homeland Security’s Continuous Diagnostics and Mitigation program to verify the implementation of, and compliance with, configuration standards in accordance with NIST SP 800-53, Revision 3.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that BBG has implemented U.S. Government Configuration Baseline standards and that periodic compliance assessment is performed.

    (U) Recommendation 10. OIG recommends that the Chief Information Officer/Chief Technology Officer follow the Broadcasting Board of Governors Change Management Policy, to “test and disseminate Microsoft operating system and application patches released on the second Tuesday of each month in a way that ensures complete coverage of workstations and laptops while avoiding operational downtime by rigorously testing the patches prior to general release to ensure application compatibility and seamless functionality.”

    (U) Management Response: BBG concurred with the recommendation, stating that it planned to use monitoring technology made available through the Department of Homeland Security’s Continuous Diagnostics and Mitigation program to address the monthly vulnerabilities on workstations and servers.

    (U) OIG Analysis: OIG considers the recommendation resolved.
This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that critical patches have been implemented to address operating system and application vulnerabilities.

(U) Finding H. Identity and Access Management

(U) In FY 2010, FY 2011, and FY 2012, OIG identified deficiencies in BBG’s identity and access management of Active Directory accounts. Identification and authentication is typically the first line of defense and is used as a technical measure to prevent unauthorized access to systems. Homeland Security Presidential Directive 12 (HSPD-12)[35] establishes it as the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). Office of Cuba Broadcasting accounts were not included in our test review because of the migration to the Microsoft Office 365 email system; these accounts were segregated by BBG and undergoing maintenance due to the migration.

(U) In FY 2013, OIG found that although BBG had made significant improvements in managing its Active Directory accounts, it still did not have effective identity and access management for its information systems. Specifically, in FY 2013, excluding all accounts undergoing migration at the Office of Cuba Broadcasting, we observed the following control deficiencies that had not been addressed by BBG’s System Owners:

[Redacted] (b) (5)

(U) Although the control deficiencies identified are minor in scale, they should be promptly addressed, because an attacker needs only the weakest point to gain a foothold. BBG management should develop a process that considers the identified Active Directory vulnerabilities when developing or updating its identity and access management strategy and policy.

(U) In addition, only 65 of 2,280 (3 percent) employees and contractors had been issued Personal Identity Verification (PIV) cards as of March 2013.

(U) According to BBG’s Identification and Authentication Policy and Password Policy, system owners are responsible for implementing the policy and procedures for their IT systems, including:

    • (U) Monitoring and taking actions to create and delete accounts.
    • (U) Creating processes to change user account passwords every 90 days.
    • (U) Creating processes to disable separating/terminating user accounts within 24 hours of notification, and removing these disabled accounts within a week of notification, unless the Security Manager determines that removing the disabled account would adversely affect operations.
    • (U) Creating processes to review, quarterly, the use of guest, test, and shared accounts, and report such accounts and their justification to the Chief Information Security Officer. Unneeded accounts shall be disabled and/or deleted whenever possible.

[35] (U) HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, Aug. 27, 2004.

(U) Homeland Security Presidential Directive 12[36] mandates a Federal standard for secure and reliable forms of identification. According to item four of the directive, the heads of executive departments and agencies shall “require the use of identification by Federal employees and contractors that meets the Standard in gaining physical access to Federally controlled facilities and logical access to Federally controlled information systems.”

(U) System Owners did not use the results of the bi-weekly automated script to update Active Directory user accounts.
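(U) Each of the policy items quoted in this finding is a mechanical check against Active Directory, which is the kind of work the bi-weekly automated script exists to do. The following is an added example, written for this page and not BBG’s script or any code from the audit, of such a review run over an account export together with a separation notification feed. It flags enabled accounts whose password is older than 90 days, separated users still enabled more than 24 hours after notification, disabled separated accounts still present after a week without a Security Manager retention exception, and guest, test, or shared accounts with no justification on file for the quarterly review. The attribute names, the separation feed, the retention-exception list and the sample accounts are constructed assumptions.

```python
"""Active Directory account review against the Identification and
Authentication Policy and Password Policy items quoted in this finding.

Added example for this page, not BBG's bi-weekly script. The account
attributes, the separation feed and the sample data are constructed
assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

PASSWORD_MAX_AGE = timedelta(days=90)    # change passwords every 90 days
DISABLE_DEADLINE = timedelta(hours=24)   # disable within 24 hours of notification
REMOVAL_DEADLINE = timedelta(days=7)     # remove within a week of notification
REVIEWED_KINDS = ("guest", "test", "shared")   # subject to quarterly review


@dataclass(frozen=True)
class AdAccount:
    sam: str                               # sAMAccountName
    enabled: bool
    pwd_last_set: Optional[datetime]       # None: never set / must change at next logon
    kind: str = "user"                     # "user", "guest", "test" or "shared"
    justification_on_file: bool = True     # meaningful for guest/test/shared accounts


@dataclass(frozen=True)
class Finding:
    sam: str
    rule: str
    detail: str


def audit_accounts(accounts: List[AdAccount], separations: Dict[str, datetime],
                   retention_exceptions: Set[str], now: datetime) -> List[Finding]:
    """One pass over the export; every policy item becomes a rule with a deadline."""
    findings: List[Finding] = []
    for a in accounts:
        notified = separations.get(a.sam)
        if notified is not None:
            elapsed = now - notified
            if a.enabled and elapsed > DISABLE_DEADLINE:
                findings.append(Finding(a.sam, "separation_disable",
                                        f"still enabled {elapsed.days} days after separation notice"))
            elif not a.enabled and elapsed > REMOVAL_DEADLINE and a.sam not in retention_exceptions:
                findings.append(Finding(a.sam, "separation_removal",
                                        f"disabled account not removed {elapsed.days} days after notice"))
            continue   # a separated account is judged by the two rules above only

        if a.enabled:
            if a.pwd_last_set is None:
                findings.append(Finding(a.sam, "password_age", "password never set"))
            elif now - a.pwd_last_set > PASSWORD_MAX_AGE:
                findings.append(Finding(a.sam, "password_age",
                                        f"password {(now - a.pwd_last_set).days} days old"))

        if a.kind in REVIEWED_KINDS and not a.justification_on_file:
            findings.append(Finding(a.sam, "shared_account_review",
                                    f"{a.kind} account with no justification on file"))
    return findings


# Constructed sample export, separation feed and retention exceptions.
SAMPLE_NOW = datetime(2013, 3, 15, 9, 0)
SAMPLE_ACCOUNTS = [
    AdAccount("jdoe", True, datetime(2013, 2, 1, 8, 0)),                 # 42-day-old password: fine
    AdAccount("mrivera", True, datetime(2012, 10, 1, 8, 0)),             # password well past 90 days
    AdAccount("tnguyen", True, datetime(2013, 1, 5, 8, 0)),              # separated, still enabled
    AdAccount("pokafor", False, datetime(2012, 12, 1, 8, 0)),            # separated, disabled, not removed
    AdAccount("lchen", False, datetime(2012, 12, 1, 8, 0)),              # same, but retention approved
    AdAccount("svc_studio", True, datetime(2013, 1, 10, 8, 0), "shared", False),
    AdAccount("guest", False, None, "guest", True),
]
SAMPLE_SEPARATIONS = {
    "tnguyen": datetime(2013, 3, 10, 9, 0),   # notified 5 days ago
    "pokafor": datetime(2013, 2, 20, 9, 0),   # notified 23 days ago
    "lchen": datetime(2013, 2, 20, 9, 0),     # notified 23 days ago
}
SAMPLE_RETENTION_EXCEPTIONS = {"lchen"}       # Security Manager determination on file


def run_review(accounts=SAMPLE_ACCOUNTS, separations=SAMPLE_SEPARATIONS,
               exceptions=SAMPLE_RETENTION_EXCEPTIONS, now=SAMPLE_NOW) -> List[Finding]:
    return audit_accounts(accounts, separations, exceptions, now)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.sam:<12} {f.rule:<22} {f.detail}")
```

(U) The output is the worklist the System Owners in this finding did not act on: each line names the account, the policy rule it breaks, and how far past the deadline it is. The separation feed is consulted first so that a departed user’s account is judged by the 24-hour and one-week deadlines rather than by password age, and the retention exception is keyed to the account so that only a documented Security Manager decision can keep a disabled account past a week.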
(U) In addition, PIV cards were not put in place because BBG purchased a commercial off-the-shelf product in 2006 that was not compatible with its legacy security system until March 2013, which prevented the use of PIV cards within the agency.

(U) Without effective identity and access management, the risk of unauthorized access is significantly increased. Unauthorized access may result in the submission of false transactions, improper access to and dissemination of confidential data, and other malicious activities. Passwords used alone can be easily compromised, resulting in unauthorized access to BBG’s information systems.

    (U) Recommendation 11. OIG recommends that the Chief Information Officer/Chief Technology Officer and System Owners ensure that user accounts are properly maintained in accordance with the Broadcasting Board of Governors (BBG) Identification and Authentication Policy and the BBG/IBB/VOA Password Policy.

    (U) Management Response: BBG concurred with the recommendation, stating that the Chief Information Officer and System Owners will work together to strengthen information technology processes for managing user accounts to ensure that accounts are effectively managed in accordance with BBG’s policies.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that accounts are effectively managed in accordance with BBG’s policies.

    (U) Recommendation 12. OIG recommends that the Office of Security, in coordination with the Chief Information Officer/Chief Technology Officer, complete the issuance of Personal Identity Verification cards as required by Homeland Security Presidential Directive 12.

    (U) Management Response: BBG concurred with the recommendation, stating that it will accelerate issuance of Personal Identity Verification cards to employees and contractors as much as practical within budget constraints. The Chief Information Officer will continue to assess progress and develop extensions into logical access control.

    (U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that the Office of Security has completed the issuance of Personal Identity Verification cards to employees and contractors.

[36] (U) Ibid.

(U) Finding I. Security Training and Awareness

(U) In FY 2013, OIG found that although BBG had made progress over the past two years, bringing Security Awareness training compliance from 25 percent to 100 percent in FY 2013, it still did not have a policy for role-based training.
NIST 800-16 states, "Federal agencies and organizations cannot protect the integrity, confidentiality, and availability of information in today's highly networked systems environment without ensuring that each person involved understands their roles and responsibilities and is adequately trained to perform them."

(U) Although the Information Security Management Division revised its security awareness-training program in July 2012 to include both online and in-person training, it did not have a policy for role-based training. Therefore, key IT personnel with security responsibilities had not taken specialized role-based security training. According to NIST SP 800-53, Revision 3,[38] the organization provides role-based security-related training before authorizing access to the system or performing assigned duties, and the frequency of training thereafter is organizationally defined.

(U) According to a BBG management official, BBG's Information Security Management Division had to focus on daily operations instead of devoting resources to developing a policy and ensuring key personnel with security responsibilities receive adequate role-based (specialized) training.

(U) Without the completion of role-based annual security training, IT and security personnel may be unaware of new risks that may compromise the confidentiality, integrity, and availability of data. Users could compromise the security of the network, resulting in a loss of operations, compromise of Personally Identifiable Information, and introduction of vulnerabilities to the system.

37 (U) NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, sec. 1.1, Apr. 1998.
38 (U) NIST SP 800-53, rev. 3, AT-3.

(U) Recommendation 13. OIG recommends that the Information Security Management Division, in coordination with the Chief Information Officer/Chief Technology Officer, prioritize resources to develop and implement a role-based security training program in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Management Response: BBG concurred with the recommendation, stating that it will take steps to develop and implement a role-based information technology security program in accordance with NIST Guidance.

(U) OIG Analysis: OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation or evidence showing that BBG has implemented a role-based information technology security program.

(U) Finding J. Compliance with Federal Information Security Management Act Requirements

(U) In FY 2013, OIG found that BBG was in compliance with the Capital Planning and Contractor System requirements. There were no prior year weaknesses that carried over to FY 2013 for these two areas.

(U) For Contractor Systems, we noted that the agency had established a program to oversee systems operated on its behalf by contractors or other entities, including organization systems and services residing in the cloud external to the agency.

(U) For Capital Planning, there have been no major IT investments or capital investments funding for the year. 
However, OIG suggests the Chief Information Officer/Chief Technology Officer implement processes and procedures to cross-reference POA&M information, including costs, to the capital planning budget process with a Unique Investment Identifier for any future IT acquisitions.

(U) List of Current Year Recommendations

(U) Recommendation 1. OIG recommends that the System Owners, Information Owners, and the Chief Information Officer/Chief Technology Officer assess the data categorization for information systems, in accordance with Federal Information Processing Standard 199, and implement the corresponding National Institute of Standards and Technology Special Publication 800-53, Revision 3, controls, if necessary.

(U) Recommendation 2. OIG recommends that the System Owners and Chief Information Officer/Chief Technology Officer prioritize resources to perform security impact analyses to assess the differences in National Institute of Standards and Technology Special Publication 800-53, Revision 3, control families and their impact to the state of security on the systems and reauthorize the systems.

(U) Recommendation 3. OIG recommends that the Broadcasting Board of Governors prioritize resources to perform a privacy impact assessment for the Privacy Information Enclave in accordance with Office of Management and Budget Memorandum M-12-20.

(U) Recommendation 4. OIG recommends that the Chief Information Officer/Chief Technology Officer, in coordination with the Information Security Management Division, finalize and implement an enterprise-wide continuous monitoring strategy that includes a continuous monitoring policy and assesses the security state of information systems in a manner consistent with Federal Information Security Management Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.

(U) Recommendation 5. OIG recommends that the Chief Information Officer/Chief Technology Officer prioritize resources to complete entity-wide and system specific contingency planning documents for all information systems and conduct necessary testing in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Revision 1, and NIST SP 800-53, Revision 3.

(U) Recommendation 6. OIG recommends that the Information Security Management Division update and implement its incident response policy in accordance with National Institute of Standards and Technology Special Publication 800-61, Revision 2.

(U) Recommendation 7. OIG recommends the Chief Information Officer/Chief Technology Officer ensure that Broadcasting Board of Governors Plans of Action and Milestones (POA&M) include all required elements in accordance with its Information Security POA&M Policy, to include severity of the weakness, responsible organization, estimated funding resources, completion date, key milestones and changes, source of the weakness, and the status.

(U) Recommendation 8. OIG recommends that the Enterprise Networks and Storage Division, under the Office of the Chief Information Officer/Chief Technology Officer, implement procedures to assess the adequacy of the security configurations of mobile computers that request access to the Broadcasting Board of Governors network and grant access only to properly configured and patched devices in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 9. OIG recommends that the Chief Information Officer/Chief Technology Officer verify that U.S. Government Configuration Baseline configuration standards are implemented and compliance with the implemented standards is periodically assessed in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Recommendation 10. OIG recommends that the Chief Information Officer/Chief Technology Officer follow the Broadcasting Board of Governors Change Management Policy, to "test and disseminate Microsoft operating system and application patches released on the second Tuesday of each month in a way that ensures complete coverage of workstations and laptops while avoiding operational downtime by rigorously testing the patches prior to general release to ensure application compatibility and seamless functionality."

(U) Recommendation 11. OIG recommends that the Chief Information Officer/Chief Technology Officer and System Owners ensure that user accounts are properly maintained in accordance with Broadcasting Board of Governors (BBG) Identification and Authentication Policy and the BBG/IBB/VOA Password Policy.

(U) Recommendation 12. OIG recommends that the Office of Security, in coordination with the Chief Information Officer/Chief Technology Officer, complete the issuance of Personal Identity Verification cards as required by Homeland Security Presidential Directive 12.

(U) Recommendation 13. OIG recommends that the Information Security Management Division, in coordination with the Chief Information Officer/Chief Technology Officer, prioritize resources to develop and implement a role-based security training program in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Appendix A

(U) Scope and Methodology

(U) In order to fulfill its responsibilities related to the Federal Information Security Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG), Office of Audits, contracted with Williams, Adley & Company-DC, LLP (referred to as "we" in this appendix), an independent public accountant, to evaluate the Broadcasting Board of Governors (BBG) information security program and practices to determine the effectiveness of such programs and practices for FY 2013.

(U) FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency or contractor or another source. 
To ensure the adequacy and effectiveness of these controls, FISMA requires the agency inspector general or an independent external auditor to perform annual reviews of the information security program and to report those results to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS).[2] DHS uses this data to assist in oversight responsibilities and to prepare its annual report to Congress regarding agency compliance with FISMA.

(U) We conducted the audit from April 2013 through September 2013. In addition, we performed the audit in accordance with Generally Accepted Government Auditing Standards (GAGAS), FISMA, OMB, and National Institute of Standards and Technology (NIST) guidance. GAGAS require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

(U) We used the following laws, regulations, and policies to evaluate the adequacy of the controls in place at BBG:

• (U) DHS Inspector General FISMA Reporting Metrics.[3]
• (U) OMB Memoranda M-02-01, M-04-04, M-06-19, and M-12-20.[4]
• (U) BBG policies and procedures, such as the BBG Computer Security Incident Management Policy.
• (U) Federal laws, regulations, and standards, such as FISMA and those contained in OMB Circular No. A-130, Revised,[5] and OMB Circular No. A-11.[6]
• (U) NIST Special Publications, Federal Information Systems Processing Publications (FIPS), other applicable NIST publications, and industry best practices.

1 (U) Pub. L. No. 107-347, tit. III, 116 Stat. 2946 (2002).
2 (U) OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and Department of Homeland Security (DHS), July 6, 2010.
3 (U) Department of Homeland Security's FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, dated Nov. 30, 2012.
4 (U) OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones, Oct. 17, 2001; OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, Dec. 16, 2003; OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006; OMB Memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, Sept. 27, 2012.
5 (U) OMB Circular No. A-130, Revised, Management of Federal Information Resources, app. III, Security of Federal Automated Information Resources, Nov. 30, 2000.
6 (U) OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget, Aug. 2011.

(U) During our audit, we assessed BBG's information security program policies, procedures, and processes in the following areas:

• (U) Continuous monitoring management
• (U) Configuration management
• (U) Identity and access management
• (U) Incident response and reporting
• (U) Risk management
• (U) Security training
• (U) Plans of action and milestones
• (U) Remote access management
• (U) Contingency planning
• (U) Contractor systems
• (U) Security capital planning

(U) The audit covered the period October 1, 2012, to September 30, 2013. During the fieldwork, we took the following actions:

• (U) Determined the extent to which the BBG's information security plans, programs, and practices complied with FISMA requirements; applicable Federal laws, regulations, and standards; relevant OMB Circular No. A-130, Revised processes and reporting requirements included in Appendix III; and NIST and FIPS requirements.
• (U) Reviewed relevant security programs and practices to report on the effectiveness of BBG's agency-wide information security program in accordance with OMB's annual FISMA reporting instructions. The audit approach addressed the DHS FY 2013 Inspector General Federal Information Security Management Act Reporting Metrics, dated November 30, 2012.
• (U) Assessed programs for monitoring of security policy and program compliance and responding to security events, e.g., unauthorized changes detected by intrusion detection systems.
• (U) Assessed the adequacy of internal controls related to the areas reviewed. Control deficiencies identified during the review are included in this report.
• (U) Evaluated BBG's remedial actions taken to address the previously reported information security program control weaknesses identified in OIG's Audit of the Broadcasting Board of Governors Information Security Program (AUD/IT/IB-13-04, Nov. 2012).

(U) Review of Internal Controls

(U) We reviewed BBG's internal controls to determine whether:

• (U) The agency had established an enterprise-wide continuous monitoring program that assessed the security state of information systems that were consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
• (U) The agency had established and was maintaining a security configuration management program that was consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
• (U) The agency had established and was maintaining an account and identity management program that was generally consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and which identified users and network devices.
• (U) The agency had established and was maintaining an incident response and reporting program that was consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
• (U) The agency established a risk management program that was consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
• (U) The agency had established and was maintaining a security training program that was consistent with FISMA requirements, OMB policy, and applicable NIST guidelines.
• (U) The agency had established a POA&M program that was consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and tracked and monitored known information security weaknesses.
• (U) The agency had established and was maintaining a remote access program that was generally consistent with NIST's and OMB's FISMA requirements.
• (U) The agency established and was maintaining an entity-wide business continuity/disaster recovery program that was generally consistent with NIST's and OMB's FISMA requirements.
• (U) The agency had established a program to oversee systems operated on its behalf by contractors or other entities, including agency systems and services residing in the cloud external to the agency.
• (U) The agency had established and maintained a capital planning and investment program for information security.

(U) Use of Computer-Processed Data

(U) During the audit, we utilized computer-processed data to obtain samples and information regarding the existence of information security controls. Specifically, we obtained data extracted from Microsoft's Windows Active Directory and BBG's human resources system to test user account management controls. We assessed the reliability of computer-generated data primarily by comparing selected data with source documents. We determined that the information was reliable for assessing the adequacy of related information security controls.

(U) Sampling Methodology

(U) Generally, for a population of sample items, we used judgmental sampling to test 10 percent of the population or 25, whichever is less. The 10 percent guidance is based on 10 percent of a population of 250, which equals 25. 
Based on the internal control structure at BBG, we determined that the planned assessed level of control risk was MODERATE.

(U) Appendix B

(U) Followup of Recommendations from the FY 2012 Audit of the Broadcasting Board of Governors Information Security Program

(U) The audit team reviewed actions implemented by management to mitigate the findings identified in the FY 2012 audit of the Broadcasting Board of Governors (BBG) information security program. The current status of each of the recommendations follows:

(U) Recommendation 1. We recommend that the Chief Information Officer ensure that security configuration standards and procedures are completed, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed from FY 2012 report; this repeat recommendation has become Recommendation 10 (Finding G) in the FY 2013 report.

(U) Recommendation 2. We recommend that the Broadcasting Board of Governors develop and implement policies to require all agency entities with systems that connect to the Broadcasting Board of Governors network to abide by the security policies and requirements established by the Broadcasting Board of Governors Information Technology Department and grant the Chief Information Officer the necessary authority to enforce consequences for noncompliance.

(U) Status: Closed. The Certification and Accreditation Policy and Procedures were revised in April 2013 to designate BBG's Chief Information Officer as the Certifying Official for all Agency Information Systems. Also, the Certification and Accreditation (C&A) Policy and Procedures designate the CIO as the accrediting official for all agency systems.

(U) Recommendation 3. We recommend that the Chief Information Officer ensure that user accounts are properly configured and maintained in accordance with the Broadcasting Board of Governors policies. If the Broadcasting Board of Governors determines that exceptions to the implemented policies may be necessary, the Broadcasting Board of Governors should identify, assess, and document the associated risks. If the Broadcasting Board of Governors further determines that the identified risks are acceptable, the exceptions should be documented and approved by information technology management.

(U) Status: Closed from FY 2012 report; this repeat recommendation has become Recommendation 12 (Finding H) in the FY 2013 report.

(U) Recommendation 4. We recommend that the Chief Information Officer ensure that procedures as stated within the Broadcasting Board of Governors Computer Security Incident Management Policy are followed to ensure that security incidents are properly reported, as required by the United States Computer Emergency Readiness Team's Federal Incident Reporting Guidelines.

(U) Status: Closed. We reviewed the security incidents to ensure that they were properly reported to US-CERT.

(U) Recommendation 5. We recommend that the Chief Information Officer develop and implement a formal sanction process for personnel who do not successfully complete the security awareness training, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed. BBG developed a formal sanction process to disable user accounts for users who had not taken the Cyber Security Awareness training by the final due date. We inspected a sample of users, without exceptions, for the FY 2013 Cyber Security Awareness training to ensure that they had taken their training by the due date.

(U) Recommendation 6. We recommend the Chief Information Officer ensure that the Broadcasting Board of Governors Plans of Action and Milestones program is developed in accordance with its policy, which requires the Broadcasting Board of Governors Plans of Action and Milestones to include the data elements found in Office of Management and Budget Memorandum M-02-01.

(U) Status: Closed from FY 2012 report; this repeat recommendation has become Recommendation 7 (Finding E) in the FY 2013 report.

(U) Recommendation 7. We recommend that the Chief Information Officer implement procedures to assess the adequacy of the security configurations of third-party devices that request access to the Broadcasting Board of Governors network and grant access only to properly configured devices, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed from FY 2012 report; this repeat recommendation has become Recommendation 8 (Finding F) in the FY 2013 report.

(U) Recommendation 8. We recommend that the Chief Information Officer ensure that the Information Technology Director create and implement a standardized process to collect information used to develop and subsequently update the Broadcasting Board of Governors system inventory and update the general support system's security plan control for CM-8, "Information System Component Inventory," specifically, the organizationally defined frequency of inventory assessments, as required by the National Institute of Standards and Technology Special Publication 800-53, Revision 3.

(U) Status: Closed. A full implementation of BBG's system inventory has been completed for the agency within the FootPrints application at BBG. We compared the BBG FISMA Information Systems and Accreditation Boundaries within the agency with the current list of systems provided by BBG and noted no discrepancies.

(U) Recommendation 9. We recommend that the Chief Information Officer ensure that the Director of Disaster Recovery and Business Continuity develop and implement contingency planning policies and procedures, develop contingency plans for the Broadcasting Board of Governors infrastructure (network) and its major systems, provide contingency planning training to personnel who are responsible for the recovery of the network and systems, perform periodic testing of the Broadcasting Board of Governors contingency plans, and update the plan based on lessons learned as required by National Institute of Standards and Technology Special Publication 800-34, Revision 1.

(U) Status: Closed from FY 2012 report; this repeat recommendation has become Recommendation 5 (Finding C) in the FY 2013 report.

(U) Appendix C

Broadcasting Board of Governors
THE DIRECTOR OF THE U.S. INTERNATIONAL BROADCASTING BUREAU

October 10, 2013

Mr. Steve A. Linick
Inspector General
Department of State

Dear Mr. Linick:

This is in response to the Office of Inspector General (OIG) draft report titled "Audit of the Broadcasting Board of Governors Information Security Program", Report Number AUD-IT-IB-13-XX issued September 2013.

The Broadcasting Board of Governors (BBG) has reviewed the report and provides its concurrence to all recommendations as noted on the enclosure.

We thank you for the opportunity to respond to the report. If you have any questions, please feel free to contact Ms. Carol Prahl at (202) 203-[Redacted] (b) (2), [Redacted] (b) (6) or Ms. Kelu Chao, Director, IBB Office of Performance Review at (202) 203-[Redacted] (b) (2), [Redacted] (b) (6)

Enclosure: As Stated

Cohen Building • 330 Independence Avenue, SW • Washington, DC 20237

Enclosure

BBG's Response to OIG's "Audit of the Broadcasting Board of Governors Information Security Program," Report Number AUD-IT-IB-13-XX, September 2013

Recommendation 1: OIG recommends that the System Owners, Information Owners, and the Chief Information Officer/Chief Technology Officer assess the data categorization for information systems, in accordance with Federal Information Processing Standard 199, and implement the corresponding National Institute of Standards and Technology Special Publication 800-53, Revision 3, controls, if necessary.

TSI Response (October 11, 2013): BBG concurs. 
The BBG will work to ensure all FISMA systems are properly categorized and have implemented all the necessary security controls as provided in the National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3.

Recommendation 2: OIG recommends that the System Owners and Chief Information Officer/Chief Technology Officer prioritize resources to perform security impact analyses to assess the differences in National Institute of Standards and Technology Special Publication 800-53, Revision 3, control families and their impact to the state of security on the systems and reauthorize the systems.

TSI Response (October 11, 2013): BBG concurs. The BBG will update Security Assessment Reports and Risk Assessment Reports for all BBG FISMA systems to ensure that all systems can be reauthorized per OIG's recommendation.

Recommendation 3: OIG recommends that the Broadcasting Board of Governors prioritize resources to perform a privacy impact assessment for the Privacy Information Enclave in accordance with Office of Management and Budget Memorandum M-12-20.

TSI Response (October 11, 2013): BBG concurs. 
The CIO will prioritize resources to ensure this privacy impact analysis is completed.

Recommendation 4: OIG recommends that the Chief Information Officer/Chief Technology Officer, in coordination with the Information Security Management Division, finalize and implement an enterprise-wide continuous monitoring strategy that includes a continuous monitoring policy and assesses the security state of information systems in a manner consistent with Federal Information Security Management Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.

TSI Response (October 11, 2013): BBG concurs. The Agency is reviewing the recently released NIST 800-53 Revision 4 guidance and plans to implement the new features and flexibility of this guidance in BBG's continuous monitoring program, policies, and procedures. In addition, BBG is participating in the Continuous Diagnostic Mitigation (CDM) program sponsored by the Department of Homeland Security (DHS). The BBG feels the CDM program will strengthen the BBG's internal monitoring controls.

Recommendation 5: OIG recommends that the Chief Information Officer/Chief Technology Officer prioritize resources to complete entity-wide and system-specific contingency planning documents for all information systems, and conduct necessary testing in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Revision 1, and NIST SP 800-53, Revision 3.

TSI Response (October 11, 2013): BBG concurs. The BBG's Disaster Recovery and Business Continuity Manager will continue with policy development and planning to address deficiencies.
The CIO will continue to monitor progress with draft policies and procedures.

Recommendation 6: OIG recommends that the Information Security Management Division update and implement its incident response policy in accordance with National Institute of Standards and Technology Special Publication 800-61, Revision 2.

TSI Response (October 11, 2013): BBG concurs. The CIO will continue to expand on its policies and workflows to implement its current policies.

Recommendation 7: OIG recommends the Chief Information Officer/Chief Technology Officer ensure that Broadcasting Board of Governors Plan of Action and Milestones (POA&M) include all required elements in accordance with its Information Security POA&M Policy, to include severity of the weakness, responsible organization, estimated funding resources, completion date, key milestones and changes, source of the weakness, and the status.

TSI Response (October 11, 2013): BBG concurs. The CIO will expand on the data elements contained in the POA&M tracking sheet as efforts continue to mature the internal IT project governance.

Recommendation 8: OIG recommends that the Enterprise Networks and Storage Division, under the Office of the Chief Information Officer/Chief Technology Officer, implement procedures to assess the adequacy of the security configurations of mobile computers that request access to the Broadcasting Board of Governors network and grant access only to properly configured and patched devices in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

TSI Response (October 11, 2013): BBG concurs. The BBG has acquired a network access control management tool, and configuration/implementation of this tool is pending.

Recommendation 9: OIG recommends that the Chief Information Officer/Chief Technology Officer verify that U.S.
Government Configuration Baseline configuration standards are implemented and compliance with the implemented standards is periodically assessed in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

TSI Response (October 11, 2013): BBG concurs. BBG plans to use the monitoring technology made available through DHS's CDM program to verify implementation and compliance of configuration standards in accordance with NIST Special Publication 800-53, Revision 3.

Recommendation 10: OIG recommends that the Chief Information Officer/Chief Technology Officer follow the Broadcasting Board of Governors Change Management Policy, to "test and disseminate Microsoft operating system and application patches released on the second Tuesday of each month in a way that ensures complete coverage of workstations and laptops while avoiding operational downtime by rigorously testing the patches prior to general release to ensure application compatibility and seamless functionality."

TSI Response (October 11, 2013): BBG concurs.
BBG plans to use the same DHS monitoring technology referred to in response to OIG recommendation #9 to address the monthly vulnerability in the agency's workstations and servers.

Recommendation 11: OIG recommends that the Chief Information Officer/Chief Technology Officer and system owners ensure that user accounts are properly maintained in accordance with Broadcasting Board of Governors (BBG) Identification and Authentication Policy and the BBG/IBB/VOA Password Policy.

TSI Response (October 11, 2013): BBG concurs. The CIO and system owners will review and strengthen IT processes that manage user accounts in accordance with BBG policies. BBG expects that these strengthened processes will eliminate the small number of account violations that still exist.

Recommendation 12: OIG recommends that the Office of Security, in coordination with the Chief Information Officer/Chief Technology Officer, complete the issuance of Personal Identity Verification cards as required by Homeland Security Presidential Directive 12.

TSI Response (October 11, 2013): BBG concurs. The BBG agrees to accelerate issuance of PIV cards to its employees and contractors as much as practical within the budget constraints imposed on the Agency. The CIO will continue to assess progress and develop extensions into logical access control for the Agency.

Recommendation 13: OIG recommends that the Information Security Management Division, in coordination with the Chief Information Officer/Chief Technology Officer, prioritize resources to develop and implement a role-based security training program in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.

TSI Response (October 11, 2013): BBG concurs. The CIO will take steps to develop and implement a role-based IT security program, within budgetary limitations, in accordance with NIST guidance, during FY 2014.

FRAUD, WASTE, ABUSE, OR MISMANAGEMENT OF FEDERAL PROGRAMS HURTS EVERYONE.

CONTACT THE OFFICE OF INSPECTOR GENERAL HOTLINE TO REPORT ILLEGAL OR WASTEFUL ACTIVITIES:

202-647-3320
800-409-9926
oighotline@state.gov
oig.state.gov

Office of Inspector General
U.S. Department of State
P.O. Box 9778
Arlington, VA 22219